End of Transport Layer Security (TLS) 1.0 Support as of April 30, 2018

End of Transport Layer Security (TLS) 1.0 Support as of April 30, 2018

The PCI Council has released a new update to the PCI Data Security Standard (version 3.1).

The main changes in version 3.1 are the deprecation of SSL 3.0 and TLS 1.0 as secure protocols. SSL and early TLS (TLS 1.0) are not anymore considered strong cryptography and therefore cannot be used as a security control.

To remain compliant with the PCI DSS standard, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or TLS 1.0 protocols.

Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).

For inbound communications (entering the gateway), we already support TLS 1.2. Please note that the system is backward compatible and we do still support previous version of TLS for now. However it is strongly recommended that you upgrade to TLS 1.2 as soon as possible.

For outbound communications (coming out of the gateway), TLS 1.2 will be available in our TEST and PROD environment as of April 2017. As of then you are encouraged to upgrade as soon as possible to TLS 1.2 and let us know if you encounter any issue.

Ingenico ePayments requires all merchants to upgrade their security protocol before April 30, 2018.

If you use our e-Commerce Hosted Payment Page product, the transactions are initiated from this product. Therefore there is not impact for the gateway inbound communications. However if you have implemented any of the outbound communications (such as the post-sale or offline status changes), you need to upgrade to TLS 1.2.

If the cardholder uses a deprecated browser, based on TLS 1.0, the payment page will not be displayed. There will be no specific warning on the issue. The cardholder will have to upgrade to a newer web browser.

TLS 1.1 will not be deprecated in the near future and can therefore be used. However, for security reasons, we do recommend to always use the latest version of the protocols, and therefore advise to upgrade to TLS 1.2.

The PCI council requires Payment Service Providers like Ingenico ePayments to depreciate older protocols that are no longer considered secure. This means that post-sale exchanges using TLS 1.0 will be considered as not secure by our payment engines and will fail.

If the cardholder uses a deprecated browser or old device that does not support the TLS 1.1 or TLS 1.2, security protocol, the payment page will not be displayed. There will be no specific warning on the issue. The cardholder will have to upgrade to a newer web browser.
As a merchant, you could mitigate the risk of lost transactions by advising users to upgrade their browsers.
The Wikipedia page on TLS provides a complete and comprehensive overview of which browser versions and devices support which security protocols. https://en.wikipedia.org/wiki/Transport_Layer_Security

Ingenico ePayments is the online and mobile commerce division of Ingenico Group. We connect merchants and consumers, enabling businesses everywhere to go further beyond today’s boundaries and creating the future of global commerce. As industry leaders since 1994, our innovative spirit drives us forward across all channels. We are the trusted partner of over 65,000 small and large merchants who rely on us to make payments easy and secure for their customers. With advanced data analytics, fraud management solutions and cross-border commerce expertise, we help merchants optimize their business and grow into new markets around the world.

Learn more

This website uses cookies to be able to give you the best user experience. If you don't want to accept these cookies, we allow you to change the cookie settings. Click 'Accept' to allow all cookies from this website.